Bank of England dumps controversial vulnerability disclosure rule

Regulators admit that forcing critical third-party firms to "openly" share vulns would "go against" plan to reduce systemic risk and boost operational resilience.

The Bank of England has dramatically reversed plans to force companies that keep the UK's financial system running to "openly highlight" vulnerabilities to regulators and other firms.

In a key policy statement released yesterday, the Bank admitted that proposals to force "critical third parties" to disclose "unremedied" vulnerabilities could hand threat actors actionable intel that allows them to strike at the heart of Britain's financial system.

The rules were originally intended to reduce "systemic risk" and improve "operational resilience", but regulators confessed that pushing firms to publicly share details of bugs would "go against" this objective.

The Bank even confessed to failing to define the concept of a vulnerability properly, after raising the ire of cybersecurity professionals who criticised its use of an "ordinary-language" definition.

In its original operational resilience consultation paper, published in December 2023, the Bank joined with the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) to set rules which "manage potential risks" to the UK financial system created by the failure or disruption of the services provided by critical third parties - which include financial market infrastructure entities (FMIs) that allow the clearing, settlement, and recording of financial transactions.

These firms process millions of transactions every day and are often referred to as "the plumbing of the financial system", operating the networks that allow payments and other financial transactions to take place.

If one of these institutions went down, it could cause a cascading disaster that causes other key providers to collapse, threatening the foundations of the financial system and potentially causing major economic damage.

Cloud providers were mentioned in the initial proposals, with the Bank's Financial Policy Committee noting that "high concentration in the market for cloud services" means that "disruption at one provider, for example, due to cyber-attack, could interfere with the provision of vital services by several firms". However, it is not yet clear which organisations will be designated as critical third parties and therefore subject to the new rules.

An own goal for operational resilience

Yesterday, the Old Lady of Threadneedle Street published responses to its initial plans; these responses did not mention cloud firms specifically.

Most respondents "supported" plans for a new oversight regime managing critical third parties and "welcomed the regulators’ proposed approach to delivering it, which they described as proportionate, reasonable, and robust" - with only one challenging the plans and another questioning "the regulators’ competency to provide such oversight."

However, security experts demanded more precision about the term "vulnerability", which they described as meaning "a weakness, susceptibility or flaw of an asset or control that can be exploited by one or more threats". They were also deeply worried about plans to force disclosure of these vulns.

"In various parts of the regulators’ draft rules and draft supervisory statement, ‘vulnerability’ was used in a general, ordinary-language sense," the Bank wrote.

"Respondents were particularly concerned about potential requirements or expectations on critical third parties to disclose unremedied vulnerabilities (in the cyber-security sense) to the regulators and to the firms they provide systemic third party services, as this could increase the risk of threat actors exploiting these vulnerabilities, which would go against the overall objective."

The Bank has now reviewed all uses of the term in its rules and replaced the loosely defined word "vulnerability" with "areas of improvement", as well as removing "any requirements and expectations" to "disclose unremedied vulnerabilities (in the cyber-security sense) to the regulators and to the firms they provide systemic third party services to."

Tackling systemic risks

Summing up the rules on LinkedIn, Francesco Fulcoli, Chief Compliance and Risk Officer at Flagstone, wrote: "Disruptions caused by cyber-attacks, power outages, or system failures could cascade through the financial system, undermining public confidence and economic stability.

"The new regime complements existing operational resilience and outsourcing rules. Firms must still ensure they manage risks effectively, but the oversight regime adds an essential layer of protection by directly regulating the resilience of CTPs."

The new rules "align closely" with international standards such as the EU’s Digital Operational Resilience Act, wrote John Ho, Head of Legal and Financial Markets at Standard Chartered Bank.

"The final rules, when implemented, will not only strengthen the resilience of the services that critical third parties provide to individual firms, but will improve the resilience of the UK financial services sector as a whole," he continued. "By strengthening resilience and promoting market stability, this will ensure the UK is an attractive place to do business."

In a statement, the FCA warned: "Regulated firms must continue to make sure they are resilient, even when they rely on third parties, in line with our existing operational resilience rules."

Get in touch with jasper@thestack.technology to let us know how the rules are affecting you or highlight any challenges your company is encountering.
